Identification of internal threats based on network traffic is a critical goal of any network security appliance. An internal threat in the context of this document is defined by unauthorized access by a user to a restricted resource. While the computer or machine in question may be typically accessed for more common purposes, the restricted resource may actually be a service that allows for specific uses such as administration of a machine. This user may or may not be an employee or contractor of the company responsible for this resource. The user may gain access to this resource through stolen credentials, malware, or other means. Typically, the restricted resources of interest are accessed via specific protocols usually used for administration.
To explain, consider the illustrative example shown in FIG. 1A. Here, a set of hosts within a network are accessed by an administrative node to perform certain administrative operations. As shown in FIG. 1B, the issue is that a malicious entity on an attacker node may attempt to use administrative protocols and/or perform administrative operations upon those hosts in the network. The problem is that with conventional systems, it is often very difficult to effectively and efficiently detect this type of malicious activity.
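The scenario of FIG. 1A and FIG. 1B, as an added example that is not part of this document and does not describe the claimed approach: a small Python detector that works only from network flow records, flags administrative-protocol connections whose source is neither a designated administrative node nor a (source, destination) pair seen during a trusted baseline window, and counts how many hosts each suspicious source reached. The port table, the flow format, the addresses and the flow records are all constructed for illustration.

```python
"""Flag administrative-protocol traffic from hosts that are not known administrators.

Added illustration (not from the document): detection is done purely from flow
records, so it does not rely on the target host producing access logs.
"""
from dataclasses import dataclass
from collections import defaultdict

# Services usually reserved for administration, keyed by (transport, destination port).
# Assumption: illustrative table; a deployment would tune it to its own environment.
ADMIN_SERVICES = {
    ("tcp", 22): "ssh",
    ("tcp", 23): "telnet",
    ("tcp", 3389): "rdp",
    ("tcp", 5900): "vnc",
    ("tcp", 5985): "winrm",
    ("tcp", 5986): "winrm-https",
    ("udp", 623): "ipmi",
}


@dataclass(frozen=True)
class Flow:
    """One network flow record (constructed; a minimal NetFlow-style tuple)."""
    ts: int
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    dst: str
    service: str


def admin_service(flow):
    """Return the administrative service name for a flow, or None if it is not administrative."""
    return ADMIN_SERVICES.get((flow.proto, flow.dport))


def learn_baseline(flows):
    """Record which (src, dst) pairs used administrative protocols during a trusted window.

    Only pairs actually observed are learned, so a node that was idle during the
    window remains unknown and will be flagged later.
    """
    return {(f.src, f.dst) for f in flows if admin_service(f) is not None}


def detect_suspicious_admin(flows, admin_nodes, baseline=frozenset()):
    """Flag administrative flows whose source is neither a designated admin node
    nor a (src, dst) pair present in the learned baseline."""
    alerts = []
    for f in flows:
        service = admin_service(f)
        if service is None:
            continue  # not an administrative protocol; ignore
        if f.src in admin_nodes or (f.src, f.dst) in baseline:
            continue  # expected administrative access
        alerts.append(Alert(f.ts, f.src, f.dst, service))
    return alerts


def targets_per_source(alerts):
    """Count distinct hosts each suspicious source reached.

    One source administering many hosts it never touched before is the FIG. 1B pattern.
    """
    seen = defaultdict(set)
    for a in alerts:
        seen[a.src].add(a.dst)
    return {src: len(dsts) for src, dsts in seen.items()}


# Constructed sample data: 10.0.0.5 plays the administrative node of FIG. 1A.
ADMIN_NODES = {"10.0.0.5"}
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", "10.0.1.10", "tcp", 22),     # admin node, expected
    Flow(1001, "10.0.0.5", "10.0.1.11", "tcp", 5985),   # admin node, expected
    Flow(1002, "10.0.2.77", "10.0.1.12", "tcp", 443),   # ordinary web traffic, ignored
    Flow(1003, "10.0.2.77", "10.0.1.10", "tcp", 22),    # workstation opens SSH to a server
    Flow(1004, "10.0.2.77", "10.0.1.11", "tcp", 3389),  # same workstation, RDP to a second host
    Flow(1005, "10.0.3.20", "10.0.1.12", "udp", 623),   # IPMI to a BMC from a non-admin host
]

if __name__ == "__main__":
    found = detect_suspicious_admin(SAMPLE_FLOWS, ADMIN_NODES)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst} ({a.service})")
    print(targets_per_source(found))
```

The baseline step matters in practice: a flat allowlist of administrative nodes produces noise from legitimate but undeclared admin paths, whereas pairs learned during a trusted window suppress those while still catching a source that starts reaching hosts it never administered before.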
Many existing network security products attempt to detect unauthorized access to a machine via access logs. However, fine-grained logging is not always supported by the target device, and the accounts being used are likely to be “superuser” or “root” accounts, which are authorized but used maliciously. Also, centralized authentication is sometimes impossible or risky to implement on infrastructure devices such as switches, routers, or baseboard management controllers. In more dynamic environments such as virtual-machine-based datacenters, logging is sometimes not performed at all because of the transient nature of the target host.
As is evident, there is a need for an improved approach to identify suspicious administrative activity within a network.